• 90% of passwords are crackable
• 65% of people reuse the same password
• We should care about people

Authentication is different from authorization. Authentication is based on something you know, like a password. Authentication libraries exist in Elixir: Coherence (https://hex.pm/packages/coherence) works much like its Ruby counterparts. To initialize Coherence, just run: mix coherence.install --full.

Another great library is Ueberauth (https://hex.pm/packages/ueberauth), a Plug-based authentication module. It has a request phase (get credentials from somewhere else), then a callback phase, and finally we can write strategies to handle specific authentication providers.

Authentication with email is also well covered by Elixir libraries. POT (https://hex.pm/packages/pot/0.9.7) generates one-time passwords (OTP). It works by taking a shared secret and adding time-based validation. Pretty straightforward.

Authorization is about taking a request, checking that it is valid and verifying that the user has the right to perform the action. JSON Web Tokens, or JWT (https://jwt.io/), consist of a header (algorithm), a payload (information) and a signature (MAC). How JWT works:

```
client → server(jwt)
client(header(jwt)) → server
client → server(response)
```

The Guardian library (https://github.com/ueberauth/guardian) implements JWT in Elixir. Create a new pipeline with Guardian.Plug.VerifySession (https://hexdocs.pm/guardian/Guardian.Plug.VerifySession.html) and Guardian.Plug.LoadResource (https://hexdocs.pm/guardian/Guardian.Plug.LoadResource.html). This pipeline can then be added to every scope that needs it.

Summary: we have a problem with passwords. We should use multi-factor authentication. Stateless auth is great. Elixir has a lot of auth libraries. The author created keeper (https://github.com/joaomdmoura/keeper).